Configure certificate-based console authentication
You can set up certificate-based authentication in an on-premises environment so that administrators and users can log in using an authentication certificate.
BlackBerry UEM verifies certificates against the issuer, verifies that the certificate is valid using the certificate OCSP or CRL settings, and verifies that the certificate matches a user in the
This feature is not supported by BlackBerry UEM Cloud.
Obtain copies of the CA certificates that issue your administrators' and users' client certificates in .cer or .der format.
- On the menu bar, click Settings > General settings > Certificate-based console authentication.
- Select Enable certificate-based authentication.
- Click Browse and navigate to the location where you saved the CA certificate files. Select a file and click Open to upload the certificate to BlackBerry UEM. BlackBerry UEM trusts all certificates issued by that CA. Repeat this step to upload additional certificates.
- Select Check for user principal name for SAN to require BlackBerry UEM to verify that the user principal name in the certificate matches a user in the BlackBerry UEM database. If the user principal name in the certificate matches a known user, BlackBerry UEM grants access according to the user's permissions.
- Select Check for email address to require BlackBerry UEM to verify that the user email address in the certificate matches a user email address in the BlackBerry UEM database. If the user email address in the certificate matches a known user, BlackBerry UEM grants access according to the user's permissions. If you select both Check for user principal name for SAN and Check for email address, BlackBerry UEM checks the principal name before the email address and grants access if the principal name matches. If neither check finds a match between the certificate and a known user, BlackBerry UEM denies access.
If users access
Mozilla Firefox, the user must add their client certificate to the Firefox certificate store to authenticate with BlackBerry UEM using certificate-based authentication.
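
The matching order in the last two configuration steps (user principal name first, then email address, access denied if neither matches) can be modelled to audit issued certificates against a user export before the feature is enabled. This is an added example, not BlackBerry UEM code; the `User` and `CertSan` records, the case-insensitive comparison and the sample values are assumptions.

```python
# Added example: models the matching order this page describes; not BlackBerry UEM code.
from collections import namedtuple

User = namedtuple("User", "name upn email")
CertSan = namedtuple("CertSan", "label upn email")  # SAN values; None if absent

def _norm(value):
    # Assumption: compare case-insensitively, ignoring surrounding whitespace.
    return value.strip().lower() if value else None

def match_user(cert, users, check_upn=True, check_email=True):
    """Return the user a certificate maps to, or None (access denied)."""
    if not (check_upn or check_email):
        raise ValueError("neither check selected: not described on the page")
    if check_upn and _norm(cert.upn):
        for u in users:
            if _norm(u.upn) == _norm(cert.upn):
                return u  # principal name is checked first and wins
    if check_email and _norm(cert.email):
        for u in users:
            if _norm(u.email) == _norm(cert.email):
                return u
    return None  # no match on any enabled check

def audit(certs, users):
    """Flag certificates that match nobody or whose UPN and email disagree."""
    findings = {}
    for c in certs:
        by_upn = match_user(c, users, check_email=False)
        by_email = match_user(c, users, check_upn=False)
        final = match_user(c, users)
        if final is None:
            findings[c.label] = "denied: no matching user"
        elif by_upn and by_email and by_upn != by_email:
            findings[c.label] = f"conflict: UPN -> {by_upn.name}, email -> {by_email.name}"
        else:
            findings[c.label] = f"ok: {final.name}"
    return findings

# Constructed sample data (hypothetical users and certificate SAN values)
USERS = [User("alice", "alice@corp.example", "alice@example.com"),
         User("bob", "bob@corp.example", "bob@example.com")]
CERTS = [CertSan("cert-1", "Alice@corp.example", "alice@example.com"),
         CertSan("cert-2", "alice@corp.example", "bob@example.com"),
         CertSan("cert-3", None, "bob@example.com"),
         CertSan("cert-4", "carol@corp.example", None)]

if __name__ == "__main__":
    print(audit(CERTS, USERS))
```

A "conflict" finding marks a certificate whose effective identity changes depending on which checks are selected, so it is worth reissuing or correcting before rollout.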